[Pkg-mediawiki-devel] Bug#773654: Debdiff

Sébastien Delafond seb at debian.org
Sun Dec 21 15:58:34 UTC 2014


 
diff -Nru mediawiki-1.19.20+dfsg/debian/changelog mediawiki-1.19.20+dfsg/debian/changelog
--- mediawiki-1.19.20+dfsg/debian/changelog	2014-12-14 18:27:31.000000000 +0100
+++ mediawiki-1.19.20+dfsg/debian/changelog	2014-12-21 13:11:10.000000000 +0100
@@ -1,3 +1,12 @@
+mediawiki (1:1.19.20+dfsg-2.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add patch fixing T76686: thumb.php outputs wikitext message as raw
+    HTML, which could lead to xss. Permission to edit MediaWiki namespace
+    is required to exploit this.
+
+ -- Sebastien Delafond <seb at debian.org>  Sun, 21 Dec 2014 13:11:10 +0100
+
 mediawiki (1:1.19.20+dfsg-2.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru mediawiki-1.19.20+dfsg/debian/patches/series mediawiki-1.19.20+dfsg/debian/patches/series
--- mediawiki-1.19.20+dfsg/debian/patches/series	2014-12-14 18:22:55.000000000 +0100
+++ mediawiki-1.19.20+dfsg/debian/patches/series	2014-12-21 13:10:23.000000000 +0100
@@ -11,3 +11,4 @@
 suppress_warnings.patch
 CVE-2014-9277_1.patch
 CVE-2014-9277_2.patch
+T76686.patch
diff -Nru mediawiki-1.19.20+dfsg/debian/patches/T76686.patch mediawiki-1.19.20+dfsg/debian/patches/T76686.patch
--- mediawiki-1.19.20+dfsg/debian/patches/T76686.patch	1970-01-01 01:00:00.000000000 +0100
+++ mediawiki-1.19.20+dfsg/debian/patches/T76686.patch	2014-12-21 13:10:21.000000000 +0100
@@ -0,0 +1,55 @@
+From fdd3f464ef9aa7f3276a2a8dddc85e3769cfda83 Mon Sep 17 00:00:00 2001
+From: Kunal Mehta <legoktm at gmail.com>
+Date: Thu, 4 Dec 2014 14:06:55 -0800
+Subject: [PATCH] thumb.php: Set proper output formats for messages going into
+ HTML
+
+* Use ->parse() instead of ->text() for wikitext messages that were
+  being treated as HTML
+* Explicitly specify ->parse() if no output format was set
+* Document that wfThumbError() takes HTML
+
+Bug: T76686
+Change-Id: Id6e7548b2e081cfda7803772ed0395a15feb1f84
+---
+ thumb.php | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/thumb.php b/thumb.php
+index 60a7ffb..a7a09fc 100644
+--- a/thumb.php
++++ b/thumb.php
+@@ -107,13 +107,13 @@ function wfStreamThumb( array $params ) {
+ 		// Format is <timestamp>!<name>
+ 		$bits = explode( '!', $fileName, 2 );
+ 		if ( count( $bits ) != 2 ) {
+-			wfThumbError( 404, wfMsg( 'badtitletext' ) );
++			wfThumbError( 404, wfMessage( 'badtitletext' )->parse() );
+ 			wfProfileOut( __METHOD__ );
+ 			return;
+ 		}
+ 		$title = Title::makeTitleSafe( NS_FILE, $bits[1] );
+ 		if ( !$title ) {
+-			wfThumbError( 404, wfMsg( 'badtitletext' ) );
++			wfThumbError( 404, wfMessage( 'badtitletext' )->parse() );
+ 			wfProfileOut( __METHOD__ );
+ 			return;
+ 		}
+@@ -136,7 +136,7 @@ function wfStreamThumb( array $params ) {
+ 
+ 	// Check the source file storage path
+ 	if ( !$img ) {
+-		wfThumbError( 404, wfMsg( 'badtitletext' ) );
++		wfThumbError( 404, wfMessage( 'badtitletext' )->parse() );
+ 		wfProfileOut( __METHOD__ );
+ 		return;
+ 	}
+@@ -291,7 +291,7 @@ function wfExtractThumbParams( $uri ) {
+  * Output a thumbnail generation error message
+  *
+  * @param $status integer
+- * @param $msg string
++ * @param string $msg HTML
+  * @return void
+  */
+ function wfThumbError( $status, $msg ) {
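Review bot: The docblock change at the end of the hunk, `@param string $msg HTML`, shifts escaping responsibility onto every caller of wfThumbError(), yet only the three `badtitletext` call sites are converted to `wfMessage( 'badtitletext' )->parse()`; wfThumbError()'s body and any other callers in thumb.php are outside the hunk. If any remaining caller still passes wfMsg()/->text() output or a raw filename or path string, that text is now emitted as unescaped HTML by contract, so those sites should be audited in the same backport and switched to `->parse()` (or wrapped in `htmlspecialchars()` for plain strings). I would also make the docblock actionable rather than a bare type note, e.g. `@param string $msg HTML; callers must pass parsed or escaped markup, never raw wikitext or user-supplied text`. The enclosing wfStreamThumb() function starts before the first hunk and continues past the second.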

